Hi all, I'm wondering if there is a way to rotate TLS certs/keys on the fly (without stopping an instance) for Redis Sentinels.
For Redis Servers (DB mode) it is possible to use
CONFIG SET tls-cert-file xxx
CONFIG SET tls-cert-key yyy
And those commands work as expected: once they are executed, the server works with the newly provided certs.
However, for Sentinels, none of:
- CONFIG SET
- SENTINEL CONFIG SET
- SENTINEL SET
seem to support changing the tls-cert-file or tls-cert-key options.
Question:
Is there any reason why this functionality is supported in DB mode but not in Sentinel mode? Would it be possible for the team to look into adding it?
Comment From: artikell
Can you confirm your version and how you compiled it? It seems that the relevant configuration options exist only when built with USE_OPENSSL.
Comment From: aKaravanov
@artikell I'm using Redis docker image with version 6.2.8.
The way I currently configure TLS for sentinel mode is by setting the following command-line parameters:
- tls-port
- tls-cert-file
- tls-key-file
- tls-ca-cert-file
- tls-auth-clients
- tls-protocols
- tls-replication
In other words, I do not explicitly set USE_OPENSSL anywhere in the configurations.
Comment From: artikell
It seems that this operation is not supported, but I think it is indeed a capability that could be supported. Perhaps others can evaluate this.
Comment From: aKaravanov
Thanks @artikell, it would be great if the team could look into this.
Comment From: garry-t
@aKaravanov, a question for you: are you using self-signed certificates or Let's Encrypt? If Let's Encrypt, please share your experience.
Comment From: chdeliens
Hi everyone!
Same "problem" here.
I'm setting up a PKI in Vault, and have Kubernetes cert-manager provision new certificates.
I could automate (via a sidecar container) the CONFIG SET ... whenever a new certificate is available for the Redis DB, but the Sentinel eventually fails, since it has an expired certificate, and restarts.
I'd also like to find a way to inform the Sentinel to reload its TLS configuration and would be happy to further discuss this matter with the Redis team :)
Cheers!
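For the server-side half of this thread (the CONFIG SET rotation in the opening post and the sidecar that chdeliens describes above), the following is an added example, not code from the Redis project or from anyone in this thread, of driving a rotation from a client and then confirming that the server really serves the new certificate rather than trusting the OK from CONFIG SET. It assumes the redis-py package (`pip install redis`), a TLS-enabled Redis server reachable under the placeholder host and file paths used here, and that the private-key option is `tls-key-file` (the name Sentinel is started with in the parameter list above). It also handles two things rotation scripts tend to trip over: Redis reloads its TLS context on every tls-* CONFIG SET and rejects a certificate that does not match the loaded key, and only Redis 7.0+ accepts several parameters in one CONFIG SET call, so on 6.x a rotation that changes the private key cannot be done with separate calls. Nothing here applies to Sentinel, which, as reported above, has no equivalent in 6.2.8.

```python
"""Hot-rotate a Redis server's TLS certificate over CONFIG SET and verify
that the certificate the server serves afterwards is the new one.

Added example for this thread, not code from the Redis project.  The live
functions need redis-py and a TLS-enabled server; rotation_plan() and
cert_fingerprint() run offline.  Hosts, ports and paths are placeholders.
"""
import base64
import hashlib
import socket
import ssl
from typing import List, Optional

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _pem(der: bytes, width: int) -> str:
    """Wrap raw bytes as a PEM CERTIFICATE block with the given line width."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


# Constructed sample blobs for offline use: the payload is arbitrary bytes,
# not a real certificate, which is enough to exercise the fingerprint helper
# (it only base64-decodes and hashes; no X.509 parsing is involved).
SAMPLE_PEM = _pem(b"constructed sample payload, not a real certificate", 64)
SAMPLE_PEM_REWRAPPED = _pem(b"constructed sample payload, not a real certificate", 16)
SAMPLE_PEM_OTHER = _pem(b"a different constructed payload", 64)


def first_pem_block(text: str) -> str:
    """Return the first CERTIFICATE block of a PEM file.  tls-cert-file may
    carry a chain (leaf first, then intermediates); only the leaf is served
    as the peer certificate we compare against."""
    start = text.index(PEM_BEGIN)
    stop = text.index(PEM_END, start) + len(PEM_END)
    return text[start:stop] + "\n"


def _colons(hexdigest: str) -> str:
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of the DER encoding of the
    first certificate in `pem`; independent of PEM line wrapping."""
    der = ssl.PEM_cert_to_DER_cert(first_pem_block(pem))
    return _colons(hashlib.sha256(der).hexdigest())


def rotation_plan(redis_version: str, cert_file: str, key_file: str,
                  ca_cert_file: Optional[str] = None) -> List[List[str]]:
    """CONFIG SET command(s) that install the new key/cert pair.

    Redis rejects a certificate that does not match the loaded private key,
    so a new pair must land in one CONFIG SET, which Redis 7.0+ supports.
    On 6.x each parameter is its own call; that only succeeds when the
    private key is unchanged (the cert step is checked against the old key).
    """
    major, minor = (int(x) for x in redis_version.split(".")[:2])
    if (major, minor) >= (7, 0):
        cmd = ["CONFIG", "SET", "tls-key-file", key_file, "tls-cert-file", cert_file]
        if ca_cert_file:
            cmd += ["tls-ca-cert-file", ca_cert_file]
        return [cmd]
    plan = [["CONFIG", "SET", "tls-cert-file", cert_file],
            ["CONFIG", "SET", "tls-key-file", key_file]]
    if ca_cert_file:
        plan.append(["CONFIG", "SET", "tls-ca-cert-file", ca_cert_file])
    return plan


def served_cert_fingerprint(host: str, port: int, ca_cert_file: str,
                            client_cert: str, client_key: str) -> str:
    """Handshake as a real client (the server may require client certs,
    tls-auth-clients yes) and fingerprint the certificate it presents.
    The server certificate must be valid for `host`, or the handshake fails."""
    ctx = ssl.create_default_context(cafile=ca_cert_file)
    ctx.load_cert_chain(client_cert, client_key)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return _colons(hashlib.sha256(der).hexdigest())


def rotate(host: str, port: int, ca_cert_file: str, client_cert: str,
           client_key: str, new_cert: str, new_key: str,
           persist: bool = False) -> str:
    """Install new_cert/new_key on a running server and verify the swap.
    Returns the fingerprint the server serves afterwards."""
    import redis  # redis-py; imported here so the offline helpers need no extra package
    r = redis.Redis(host=host, port=port, ssl=True, ssl_ca_certs=ca_cert_file,
                    ssl_certfile=client_cert, ssl_keyfile=client_key)
    version = r.info("server")["redis_version"]
    for cmd in rotation_plan(version, new_cert, new_key):
        r.execute_command(*cmd)  # ResponseError if Redis rejects the pair
    if persist:
        r.config_rewrite()  # fails when the server was started without a config file
    with open(new_cert) as f:
        expected = cert_fingerprint(f.read())
    served = served_cert_fingerprint(host, port, ca_cert_file, client_cert, client_key)
    if served != expected:
        raise RuntimeError(f"server still serves {served}, expected {expected}")
    return served


if __name__ == "__main__":
    # Placeholder paths (hypothetical).  A sidecar would loop, calling rotate()
    # whenever cert_fingerprint() of the file differs from the served one.
    print(rotate("redis.example.internal", 6379, "/tls/ca.crt",
                 "/tls/client.crt", "/tls/client.key", "/tls/tls.crt", "/tls/tls.key"))
```

When the issuer writes the renewed pair to the same paths, the CONFIG SET values do not change, so the served-fingerprint check is the only thing that tells you whether the reload happened; it is also what a readiness or liveness probe for the sidecar should be built on.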